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DETAILED ACTION 

This office action is in response to Applicant's Remarks and Amendments filed 
January 3, 2007. 

Claims 1,6,11, and 16 are amended. 

Claims 21-24 are cancelled. 

Claims 1-20 and 25-32 are herein considered. 

Response to Arguments 

Applicant's arguments filed January 3, 2007 have been fully considered but they 
are not persuasive. 

Applicant's arguments concerning Kramer and Kirby's failure to teach or suggest 
a key exchange adapted to repeatedly derive a cipher key such that the resulting cipher 
key changes over time are not persuasive for two reasons. First, Applicant admits 
within page 10 of his arguments that Kirby does in fact teach the use of a Kerberos 
Network Authentication system but argues that the reference fails to disclose wherein 
the authentication system repeatedly derives its keys. The Examiner would like to take 
this opportunity to bring to the Applicant's attention the specific inclusion of expiration 
times within Kerberos systems used to set the period after which a cipher key is to be 
re-generated and expired from use. Although it is the Examiner's opinion that this 
repeated derivation of keys is well known to those skilled in the art during the period in 
question, she has also chosen to include within her office action a copy of John Kohl 
and B. Clifford Neuman's "The Kerberos Network Authentication Service" wherein the 
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expiration of tickets and regeneration of cipher keys is clearly taught (see pages 5-6 of 
the specification specifically for an introduction to the use of expiration times and the 
repeated issuance of new tickets and new keys). The Examiner's second objection to 
the Applicant's arguments concerns Applicant's recitation of the intended use of the ^ 
claimed invention, namely that the " adapted to repeatedly derive a cipher key such 
that the resulting cipher key changes over time" must result in a structural difference 
between the claimed invention and the prior art in order to patentably distinguish the 
claimed invention from the prior art. If the prior art structure is capable of performing the 
intended use, then it meets the claim. In the instant scenario, it is clear that the prior art 
system relied upon is capable of repeatedly deriving a cipher key using its Kerberos 
system. 

Therefore, based on the above arguments, the Examiner maintains the rejections 
set forth in the previous office action and amended below in accordance with the 
Applicant's amendments. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 
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Claims 1-20 and 25-32 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Kraemer et al. (U.S. Patent No. 5,798,706), and further in view 
of International Patent Application Publication No. WO 97/26734. 

As per Claim 1, Kraemer et al. discloses an apparatus for detecting adversarial 
activity on a network, comprising a memory adapted to store a host table (see col. 3 
lines 46-60); a key exchanger; a translator adapted to translate predetermined portions 
of packet header information of a data packet, wherein the predetermined portions 
include an address (see col.4 lines 33-46); a mapping device adapted to map the 
address to the host table (see col. 3 line 60 thru col.4 line 2); a host resolution device 
adapted to issue a request to the network to resolve the address when the address 
does not match an entry in the host table and to supplement the host table with the 
address upon receipt of a reply to the request that indicates that the address is valid 
(col.4 lines 33-52); and an actuator adapted to trigger a security device when the 
address does not match an entry in the host table (see col.4 lines 3-5 and 20-32). 

Kraemer fails to specifically mention a key exchanger adapted to repeatedly 
derive a cipher key and a translator adapted to translate predetermined portions of 
packet header information of a data packet according to a cipher algorithm keyed by the 
cipher key. 

WO 97/26734 teaches a key exchanger adapted to repeatedly derive a cipher 
key (see WO 97/26734 page 8 lines 10-15, and page 1 1 line 31 thru page 13 line 5 
"Kerberos") and a translator adapted to translate predetermined portions of packet 
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header information of a data packet according to a cipher algorithm keyed by the cipher 
key (page 2). Examiner's Note: the Kerberos system relied upon by the WO 97/26734 
reference is known by those skilled in the art to include the expiration and regeneration 
of keys to enhance a system's security. 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to include within the Kraemer system a key exchanger adapted to 
repeatedly derive a cipher key and a translator adapted to translate predetermined 
portions of packet header information of a data packet according to a cipher algorithm 
keyed by the cipher key as described in WO 97/26734 to provide enhanced security 
capabilities. 

As per Claim 2, the combination of Kraemer and WO 97/26734 discloses an 
apparatus as set forth in Claim 1, wherein the security device is a logging device 
adapted to log fhe data packet (see Kraemer col.4 lines 3-5 and 26-31). 

As per Claim 3, the combination of Kraemer and WO 97/26734 discloses an 
apparatus as set forth in Claim 1, wherein the security device is adapted to signal an 
alarm when triggered (see Kraemer col.2 lines 27-31 and col.4 lines 20-25). 

As per Claim 4, the combination of Kraemer and WO 97/26734 discloses an 
apparatus as set forth in Claim 1, further comprising a host resolution device adapted to 
derive the host table using an address resolution protocol (see Kraemer col.4 lines 48- 
52). 

As per Claim 5, the combination of Kraemer and WO 97/26734 discloses an 
apparatus as set forth in Claim 1 , further comprising a network device adapted to place 
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the data packet onto a network when the address maps to the host table (Kraemer col.1 
line 66 through col.2 line 9 and col.2 lines 27-31). 

As per Claim 6, Kraemer et al. discloses a method for detecting adversarial 
activity on network, comprising storing a host table (see col. 3 lines 46-60); deriving a 
key; translating predetermined portions of packet header information of a data packet, 
wherein the predetermined portions include an address (see col.4 lines 33-46); mapping 
the address the host table (see col.3 line 60 thru col.4 line 2); issuing a request to the 
network to resolve the address when the address does not match an entry in the host 
table and supplementing the host table with the address upon receipt of a reply to the 
request that indicates that the address is valid (col.4 lines 33-52); and triggering a 
security device when the address does not match an entry in the host table (see col.4 
lines 3-5 and 20-32). 

Kraemer fails to specifically mention a key exchanger adapted to repeatedly 
derive a cipher key and a translator adapted to translate predetermined portions of. 
packet header information of a data packet according to a cipher algorithm keyed by the 
cipher key. 

WO 97/26734 teaches a key exchanger adapted to repeatedly derive a cipher 
key (see WO 97/26734 page 8 lines 10-15, and page 11 line 31 thru page 13 line 5 
"Kerberos") and a translator adapted to translate predetermined portions of packet 
header information of a data packet according to a cipher algorithm keyed by the cipher 
key (page 2). Examiner's Note: the Kerberos system relied upon by the WO 97/26734 
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reference is known by those skilled in the art to include the expiration and regeneration 
of keys to enhance a system's security. 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to include within the Kraemer system a key exchanger adapted to 
repeatedly derive a cipher key and a translator adapted to translate predetermined 
portions of packet header information of a data packet according to a cipher algorithm 
keyed by the cipher key as described in WO 97/26734 to provide enhanced security 
capabilities. 

As per Claim 7, the combination of Kraemer and WO 97/26734 discloses a 
method as set forth in Claim 6, further comprising logging the data packet when the 
address does not match an entry in the host table (see Kraemer col.4 lines 3-5 and 26- 
31). 

As per Claim 8, the combination of Kraemer and WO 97/26734 discloses a 
method as set forth in Claim 6, further comprising signaling an alarm when the security 
device is triggered (see Kraemer col. 2 lines 27-31 and col.4 lines 20-25). 

As per Claim 9, the combination of Kraemer and WO 97/26734 discloses a 
method as set forth in Claim 6, further comprising deriving the host table using an 
address resolution protocol (see Kraemer col.4 lines 48-52). 

As per Claim 10, the combination of Kraemer and WO 97/26734 discloses a 
method as set forth in Claim 6, further comprising placing the data packet onto a 
network when the address maps to the host table (see Kraemer col.4 lines 3-5 and 26- 
31). 
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As per Claim 11, Kraemer et al. discloses a device for detecting adversarial 
activity on a network, comprising means for storing a host table (see col. 3 lines 46-60); 
means for deriving a key; means for translating predetermined portions of header 
information of a data packet, wherein the predetermined portions include an address 
(see col.4 lines 33-46); means for mapping the address to the host table (see col.3 line 
60 thru col.4 line 2); means for issuing a request to the network to resolve the address 
when the address does not match an entry in the host table and supplementing the host 
table with the address upon receipt of a reply to the request that indicates that the 
address is valid (col.4 lines 33-52); and means for triggering a security device when the 
address does not match an entry in the host table (see col.4 lines 3-5 and 20-32). 

Kraemer fails to specifically mention means to repeatedly derive a cipher key and 
means to translate predetermined portions of packet header information of a data 
packet according to a cipher algorithm keyed by the cipher key. 

WO 97/26734 teaches the means to repeatedly derive a cipher key (see WO 
97/26734 page 8 lines 10-15, and page 11 line 31 thru page 13 line 5 "Kerberds") and 
the means to translate predetermined portions of packet header information of a data 
packet according to a cipher algorithm keyed by the cipher key (page 2). Examiner's 
Note: the Kerberos system relied upon by the WO 97/26734 reference is known by 
those skilled in the art to include the expiration and regeneration of keys to enhance a 
system's security. 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to include within the Kraemer system the means to repeatedly 



Application/Control Number: 09/928,133 Page 9 

Art Unit: 2137 

derive a cipiier key and the means translate predetermined portions of pacl^et header 
information of a data pacl<et according to a cipher algorithm keyed by the cipher key as 
described in WO 97/26734 to provide enhanced security capabilities. 

As per Claim 12, the combination of Kraemer and WO 97/26734 discloses a 
device as set forth in Claim 1 1 , further comprising means for logging the data packet 
when the address does not match an entry in the host table (see Kraemer col.4 lines 3- 
5 and 26-31). 

As per Claim 13, the combination of Kraemer and WO 97/26734 discloses a 
device as set forth in Claim 1 1 , further comprising means for signaling an alarm when 
the security device is triggered (see Kraemer col. 2 lines 27-31 and col.4 lines 20-25). 

As per Claim 14, the combination of Kraemer and WO 97/26734 discloses a 
device as set forth in Claim 1 1 , further comprising means for deriving the host table 
using an address resolution protocol (see Kraemer col.4 lines 48-52). 

As per Claim 15, the combination of Kraemer and WO 97/26734 discloses a 
device as set forth in Claim 1 1 , further comprising means for placing the data packet 
network when the address maps to the host table (see Kraemer col.4 lines 3-5 and 26- 
31). 

As per Claim 16, Kramer et al. discloses a bastion host adapted for processing 
packet header information of a data packet, the bastion host being operable to store a 
host table (see col. 3 lines 46-60) derive a key; translate predetermined portions of 
packet header information of a data packet, wherein the predetermined portions include 
an address (see col.4 lines 33-46); map the address to the host table (see col. 3 line 60 
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thru col.4 line 2); issuing a request to the network to resolve the address when the 
address does not match an entry in the host table and supplementing the host table with 
the address upon receipt of a reply to the request that indicates that the address is valid 
(col.4 lines 33-52); and trigger a security device when the address does not match an 
entry in the host table (see col.4 lines 3-5 and 20-32). 

Kraemer fails to specifically mention repeatedly deriving a cipher key and 
translating predetermined portions of packet header information of a data packet 
according to a cipher algorithm keyed by the cipher key. 

WO 97/26734 teaches a key exchanger adapted to repeatedly derive a cipher 
key (see WO 97/26734 page 8 lines 10-15, and page 11 line 31 thru page 13 line 5 
"Kerberos") and a translator adapted to translate predetermined portions of packet 
header information of a data packet according to a cipher algorithm keyed by the cipher 
key (page 2). Examiner's Note: the Kerberos system relied upon by the WO 97/26734 
reference is known by those skilled in the art to include the expiration and regeneration 
of keys to enhance a system's security. 

It would have been obvious to a person of ordinary skill in the art at the time the 
invention was made to include within the Kraemer system the means to repeatedly 
derive a cipher key and the means translate predetermined portions of packet header 
information of a data packet according to a cipher algorithm keyed by the cipher key as 
described in WO 97/26734 to provide enhanced security capabilities. 

As per Claim 17, the combination of Kraemer and WO 97/26734 discloses the 
bastion host as set forth in Claim 16, the bastion host being further operable to log the 
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data packet when the address does not match an entry in the host table (see Kraemer 
col.4 lines 3-5 and 26-31), 

As per Claim 18, the combination of Kraemer and WO 97/26734 discloses the 
bastion host as set forth in Claim 16, the bastion host being further operable to signal an 
alarm when the security device is triggered (see Kraemer col. 2 lines 27-31 and col.4 
lines 20-25). 

As per Claim 19, the combination of Kraemer and WO 97/26734 discloses the 
bastion host as set forth in Claim 16, the bastion host being further operable to derive 
the host table using an address resolution protocol (see Kraemer col.4 lines 48-52). 

As per Claim 20, the combination of Kraemer and WO 97/26734 discloses the 
bastion host as set forth in Claim 16, the bastion host being further operable to place 
the data packet onto a network when the address maps to the host table (see Kraemer 
col.4 lines 3-5 and 26-31). 

As per Claim 25, the combination of Kraemer and WO 97/26734 discloses 
wherein the address includes a network portion and an apparatus portion, and wherein 
said translator is adapted to translate the apparatus portion of the address without also 
translating the network portion of the address (see page 11 lines 17-22 of WO 
97/26734). 

As per Claim 26, the combination of Kraemer and WO 97/26734 discloses 
wherein the data packet includes a header with a plurality of fields carrying packet 
header information, wherein said translator is adapted to translate at least a portion of 
the packet header information in one or more predetermined fields of the header into a 
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translated packet header, the translated packet header including the translated packet 
header information in the one or more predetermined fields of the packet header 
interspersed with un-translated packet header information in fields other than the one or 
more fields of the packet header (WO 97/26734 page 7 line 31 through page 8 line 9). 

As per Claim 27, the combination of Kraemer and WO 97/26734 discloses 
wherein the address includes a network portion and an apparatus portion, and wherein 
translating predetermined portions of packet header information includes translating the 
apparatus portion of the address without also translating the network portion of the 
address (see page 11 lines 17-22 of WO 97/26734). 

As per Claim 28, the combination of Kraemer and WO 97/26734 discloses 
wherein the data packet includes a header with a plurality of fields carrying packet 
header information, wherein translating predetermined portions of packet header 
information comprises: 

translating at least a portion of the packet header information in one or more 
predetermined fields of the header into a translated packet header, the translated 
packet header including the translated packet header information in the one or more 
predetermined fields of the packet header interspersed with un-translated packet 
header information in fields other than the one or more fields of the packet header (WO 
97/26734 page 7 line 31 through page 8 line 9). 

As per Claim 29, the combination of Kraemer and WO 97/26734 discloses 
wherein the address includes a network portion and an apparatus portion, and wherein 
said means for translating predetermined portions of packet header information is 
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adapted to translate the apparatus portion of the address without also translating the 
network portion of the address (see page 1 1 lines 17-22 of WO 97/26734). 

As per Claim 30, the combination of Kraemer and WO 97/26734 discloses 
wherein the data packet includes a header with a plurality of fields carrying packet 
header information, wherein said means for translating predetermined portions of 
packet header information is adapted to translate at least a portion of the packet 
header information in one or more predetermined fields of the header, and is further 
adapted to copy the translated packet header information into the respective one or 
more fields of the header to thereby generate a translated packet header, the translated 
packet header including the translated packet header information in the one or more 
predetermined fields of the packet header interspersed with un-translated packet 
header information in one or more other fields of the packet header (WO 97/26734 page 
7 line 31 through page 8 line 9). 

As per Claim 31 , the combination of Kraemer and WO 97/26734 discloses 
wherein the address includes a network portion and an apparatus portion, and wherein 
the bastion host is operable to translate predetermined portions of packet header 
information including translating the apparatus portion of the address without also 
translating the network portion of the address (see page 1 1 lines 17-22 of WO 
97/26734). 

As per Claim 32, the combination of Kraemer and WO 97/26734 discloses 
wherein the data packet includes a header with a plurality of fields carrying packet 
header information, wherein the bastion host is operable to translate predetermined 
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portions of packet header information including: 

translating at least a portion of the packet header information in one or more 
predetermined fields of the header into a translated packet header, the translated 
packet header including the translated packet header information in the one or more 
predetermined fields of the packet header interspersed with unVtranslated packet 
header information in fields other than the one or more fields of the packet header (WO 
97/26734 page 7 line 31 through page 8 line 9). 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. The Examiner has included with this office action a copy of John 
Kohl and B. Clifford Neumanns "The Kerberos Network Authentication Service" as 
additional support for the repeated derivation of keys within a Kerberos system. 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
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extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Tamara Teslovich whose telephone number is (571) 

272- 4241. The examiner can normally be reached on Mon-Fri 8-4:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 

273- 8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Centei; (EBC) at 866-217-9197 (toll-free). 
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